About token acquiring (client side VS server side)

  • 29 Views
  • Last Post 08 May 2018
Iaroslav posted this 08 May 2018

Dear GFS developers, 

 

We would like to clarify the authentication process.

 

From documentation (Security):

> This authentication step is a server to server call that should be made from your webserver to GFS' identity server (link)

 

Is it really necessary to make a server to server call to obtain a token for a widget? It looks like it is used only by the widget on the client side. It would be an uncommon practice to use our server for obtaining a token, and then the widget will use it to work with your server. There is no difference in security as long as we expose the token for a client.  

Do you have any special reasons for not revealing Client ID and Client Secret to the client (JS code)? Do we have to put additional restrictions on token acquitting process? 

 

Sincerely,

 

IAROSLAV BARANOV 

Software Engineer (EPAM System)

We develop the integration on behalf of The Perfume Shop

Simon.Wilson posted this 08 May 2018

Hi Iaroslav,

The reason the token is authenticated server to server is that the client ID and secret are hidden this way, however if you do a client browser to server validation then the client ID and secret are visible to all who access the site and would then make the widget insecure. however when it is server to server authentication the client ID and secret are hidden on your server within the  files and the client browser does not see the ID or secret so the security cannot be breached on this.

 

Please let me know if you need any further assistance.

Kind regards

Simon

Close